June 24, 2016

E-mails from inside the NSA bureaucracy

Earlier this month, the NSA declassified a huge set of internal e-mails, following FOIA requests about the issue of whether Edward Snowden had raised concerns about the NSA's surveillance programs through proper channels inside the agency.

Here, we will take a look at the administrative details these internal NSA e-mails provide. Next time we will see what their content says about the concerns that Snowden claimed to have raised.

Internal e-mail from NSA director Michael Rogers. In the signature block we see his NSANet and SIPRNet e-mail addresses and his non-secure phone number (all redacted). (See also: NSA director Alexander's phones)

E-mail addresses

Except for the classification markings, the NSA's internal e-mails aren't very different from those exchanged by most other people around the world. But they do show, for example, some details about the internal communications networks of the agency.

From the signature blocks underneath the e-mails we learn that, depending on their function and tasks, NSA employees have e-mail addresses for one or more of the following four computer networks:

- NSANet for messages classified up to Top Secret/SCI (Five Eyes signals intelligence). On this network the address format for e-mail is jjdoe@nsa

- JWICS for messages classified up to Top Secret/SCI (US intelligence). The address format is jjdoe@nsa.ic.gov

- SIPRNET for messages classified up to Secret (mainly US military). The address format is jjdoe@nsa.smil.mil

- UNCL for unclassified messages, likely through NIPRNet. The address format is jjdoe@nsa.gov

For e-mail, all NSA employees have display names in a standardized format: first comes their family name, given name and middle initial, sometimes followed by "Jr" or a high military rank. Then follows "NSA" and the proper organizational designator, then "USA" for their nationality and finally "CIV" for civilian employees, "CTR" for contractors, "USN" for Navy, "USA" for Army or "USAF" for Air Force members.

Thus, the display name of the current NSA director is "Rogers Michael S ADM NSA-D USA USN", while that of the previous director was "Alexander Keith B GEN NSA-D USA USA". In 2012, Snowden had the display name "Snowden Edward J NSA-FHX4 USA CTR":

E-mail from Snowden as systems administrator in Hawaii, August 2012. The redacted part of the classification marking seems to hide a dissemination marking.

The organizational designator FHX4 is interesting. FH stands for Field station Hawaii, but X4, being unit 4 of division X, is still a mystery. The field station divisions have the same designators as those at NSA headquarters, where there's also a division X, but so far no document has given an indication of what it does.

The signature block shows that Snowden worked as a systems administrator for Dell's Advanced Solutions Group and that he was deployed at the Technology Department of NSA's Cryptologic Center in Hawaii, more specifically at the Office of Information Sharing. The latter has the organizational designator (F)HT322 and is therefore different from that in Snowden's display name.

In the declassified messages we only see display names, not the actual e-mail addresses behind them. Therefore, only the classification markings on the messages provide an indication of the network on which they were exchanged.

From an e-mail that was declassified earlier we know that in April 2013 Snowden used the address "ejsnowd@nsa.ic.gov", which is the format for the JWICS network, but was apparently used on NSANet.

From one of the declassified e-mails about NSA's internal investigation it seems that Snowden had just two mail accounts: "we have his TS [Top Secret] NSANet email and his UNCLASSIFIED NSA.gov email", but this is followed by some redacted lines.

Finally, the signature blocks of some NSA employees also provide a link to their dropbox for sending them files that may be too large for e-mail. Such dropboxes have addresses like "http://urn.nsa.ic.gov/dropbox/[...]".
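The display-name layout and the four address formats described in this section are regular enough to parse mechanically, which helps when sorting a large release by sender. The following is an added example, not code from this weblog or from the NSA; the function names are hypothetical, and it assumes family and given names are one token each.

```python
import re

# Affiliation codes and address formats exactly as listed in the article.
AFFILIATIONS = {"CIV": "civilian", "CTR": "contractor", "USN": "Navy",
                "USA": "Army", "USAF": "Air Force"}
ADDRESS_FORMATS = {"nsa": "NSANet", "nsa.ic.gov": "JWICS",
                   "nsa.smil.mil": "SIPRNET", "nsa.gov": "UNCL"}


def parse_display_name(display_name):
    """Split 'Family Given M [Jr|rank] NSA-<designator> USA <affiliation>'."""
    tokens = display_name.split()
    if len(tokens) < 5 or not tokens[-3].startswith("NSA-"):
        raise ValueError(f"not in the described format: {display_name!r}")
    # Fields are positional: 'USA' is nationality in the second-to-last
    # slot and Army in the last slot.
    *name, org, nationality, affiliation = tokens
    if affiliation not in AFFILIATIONS:
        raise ValueError(f"unknown affiliation code: {affiliation!r}")
    # Assumption: family and given name are one token each.
    family, given, rest = name[0], name[1], name[2:]
    middle = rest.pop(0) if rest and re.fullmatch(r"[A-Z]", rest[0]) else None
    designator = org[len("NSA-"):]
    # The article decodes only the 'FH' prefix (Field station Hawaii).
    site = "Field station Hawaii" if designator.startswith("FH") else None
    return {
        "family": family, "given": given, "middle": middle,
        "suffix_or_rank": " ".join(rest) or None,
        "designator": designator, "site": site,
        "nationality": nationality,
        "affiliation": AFFILIATIONS[affiliation],
    }


def address_format(address):
    """Name the network whose address format matches; None if no match."""
    _, _, domain = address.partition("@")
    return ADDRESS_FORMATS.get(domain.lower())


if __name__ == "__main__":
    for dn in ("Rogers Michael S ADM NSA-D USA USN",
               "Alexander Keith B GEN NSA-D USA USA",
               "Snowden Edward J NSA-FHX4 USA CTR"):
        print(parse_display_name(dn))
    print(address_format("ejsnowd@nsa.ic.gov"))
```

The address check reports only which format an address follows; as the "ejsnowd@nsa.ic.gov" case shows, that is not proof of the network on which a message was actually sent.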

Example of an NSA message, with in the signature block e-mail addresses for JWICS and an unclassified network, and phone numbers for the NSTS and the non-secure phone networks. OPS 2B is the wider and lower one of the two black NSA headquarters buildings.

Telephone numbers

Besides e-mail addresses, many messages also have phone numbers in the signature blocks. They show numbers for one or more of the telephone systems used at NSA:

- NSTS, which stands for National Secure Telephone System and is NSA's internal telephone network for secure calls. Numbers for this network have the format 969-8765 and are often marked with "(s)" for "secure"

- STE, which stands for Secure Terminal Equipment, being a telephone device capable of encrypting phone calls on its own. Telephone numbers can be written in the format (301) 234-5678 or as STE 9876.

- BLACK, CMCL or Commercial, which are numbers for non-secure telephones that may also access the public telephone network. They have the regular format (301) 234-5678 and are often marked with "(b)" for "black" (as opposed to "red") or with "(u)" for unclassified.

The NSA/CSS Threat Operations Center (NTOC) at NSA headquarters, with from left to right: an STE secure phone, a probably non-secure telephone and a phone for the NSTS. (Photo: NSA, 2012)

TIKICUBE

Finally, releasing such a huge set of documents in which many parts had to be redacted always bears the risk that something is overlooked. That also happened this time, as in one e-mail from an investigator from NSA's Counterintelligence Investigations unit Q311 they forgot to redact the codeword TIKICUBE:

TIKICUBE appears to be a unit of the Investigations Division Q3. Whether this might be a special unit investigating the Snowden leak isn't clear though.

The abbreviations behind the investigator's name are: CFE for Certified Fraud Examiner and CISSP for Certified Information Systems Security Professional.

We also see that this investigation division is not located at the NSA headquarters complex at Fort Meade, but at FANX. This stands for Friendship Annex, a complex of NSA office buildings in Linthicum, near Baltimore, some 12 km or 7.5 miles north-east of Fort Meade.

The famous blue-black glass headquarters buildings are OPS 2A and OPS 2B, while the SIGINT division is apparently in the flat 3-story building from the late 1950s, designated OPS 1.

The title picture of this weblog shows the watch floor of the NSA's National Security Operations Center (NSOC) in 2006. The URL of this weblog recalls Electrospace Systems Inc., the company which made most of the top level communications equipment for the US Government. All information on this weblog is obtained from unclassified or publicly available sources.